Policy-based Multihost Multistage Vulnerability Analysis
Abstract:
To determine the security impact software vulnerabilities have on a
particular network, one must consider interactions among multiple
components of the operating system and among multiple hosts. For a
vulnerability analysis tool to be useful in practice, two features are
crucial. First, the model used in the analysis must be able to
automatically integrate formal vulnerability specifications from the
bug-reporting community. Second, the analysis must be able to scale to
networks with thousands of machines.

We show how to achieve these two goals by presenting MulVAL, an end-to-end
framework and reasoning system that conducts multihost, multistage
vulnerability analysis on a network. MulVAL adopts Datalog as the modeling
language for the elements in the analysis (bug specification,
configuration description, reasoning rules, operating-system permission
and privilege model, etc.). We easily leverage existing
vulnerability-database and scanning tools by expressing their output in
Datalog and feeding it to our MulVAL reasoning engine. Once the
information is collected, the analysis can be performed in seconds for
networks with thousands of machines.

We implemented our framework on the Red Hat Linux platform. Our framework
can reason about 84% of the Red Hat bugs reported in OVAL, a formal
vulnerability definition language. We tested our tool on a real network
with hundreds of users. The tool detected a policy violation caused by
software vulnerabilities, and the system administrators took remediation
measures.

This report was last updated on Feb 10, 2005.
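As an added illustration of the Datalog approach the abstract describes (example code written for this page, not MulVAL's own predicates, rules or engine): facts describe a constructed two-host network and a policy, rules encode multistage reasoning (network reach, remote exploitation, privilege gained), and a naive bottom-up fixpoint derives whether the policy is violated. The predicate names, the sample network and the VULN-ID-* identifiers are assumptions and placeholders for this example only.

```python
# Added example (not MulVAL's code): a tiny Datalog-style evaluator over a constructed
# network. Rules are (head, body); uppercase terms are variables; VULN-ID-* are placeholders.
FACTS = {
    ("exec_code", "internet", "attacker"),  # the attacker starts on the internet
    ("network_access", "internet", "webserver", "tcp", 80),
    ("network_access", "webserver", "fileserver", "tcp", 2049),
    ("service", "webserver", "httpd", "tcp", 80, "apache"),  # host, prog, proto, port, user
    ("service", "fileserver", "nfsd", "tcp", 2049, "root"),
    ("vul_exists", "webserver", "VULN-ID-1", "httpd", "remote_exploit"),
    ("vul_exists", "fileserver", "VULN-ID-2", "nfsd", "remote_exploit"),
    ("policy_forbids", "fileserver", "root"),  # the security policy being checked
}
RULES = [
    (("can_reach", "H", "Proto", "Port"),  # code execution on Src gives network reach to H
     [("exec_code", "Src", "U"), ("network_access", "Src", "H", "Proto", "Port")]),
    (("exec_code", "H", "User"),  # remotely exploiting a vulnerable service yields its privilege
     [("can_reach", "H", "Proto", "Port"), ("service", "H", "Prog", "Proto", "Port", "User"),
      ("vul_exists", "H", "Id", "Prog", "remote_exploit")]),
    (("violation", "H", "User"), [("policy_forbids", "H", "User"), ("exec_code", "H", "User")]),
]

def match(atom, fact, binding):
    """Extend binding so atom unifies with fact; None on mismatch."""
    if len(atom) != len(fact) or atom[0] != fact[0]:
        return None
    b = dict(binding)
    for term, value in zip(atom[1:], fact[1:]):
        if isinstance(term, str) and term[0].isupper() and b.get(term, value) == value:
            b[term] = value  # bind the variable, or confirm an earlier binding
        elif term != value:
            return None  # constant mismatch or conflicting binding
    return b

def solve_body(body, facts, binding):
    """Yield every binding that satisfies all atoms of a rule body (naive join)."""
    if not body:
        yield binding
        return
    for b in (match(body[0], f, binding) for f in facts):
        if b is not None:
            yield from solve_body(body[1:], facts, b)

def derive(facts, rules):
    """Naive bottom-up evaluation: fire every rule until no new fact is derived."""
    facts, new = set(facts), True
    while new:
        new = {tuple(b.get(t, t) for t in head)
               for head, body in rules for b in solve_body(body, facts, {})} - facts
        facts |= new
    return facts
```

Querying `derive(FACTS, RULES)` for `violation` facts reports the two-stage path internet to webserver to fileserver; removing either `vul_exists` fact (a patch) makes the violation disappear, which is the remediation check an administrator would rerun.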